Privacy: What Developers and IT Professionals Should Know
by Zaklina Supica - Wednesday, 19 January 2005.
Author: J. C. Cannon
Pages: 384
Publisher: Addison-Wesley
ISBN: 0321224094



Introduction

Privacy is one of the greatest concerns these days. For that reason, people want to work with companies that can be trusted, and that trust will be tested in the management and control of their personal information.

Privacy-enhancing technologies are becoming more important each day. Not knowing whether it's safe to share your information or use technology can be frustrating. We all want to be able to trust that the new software on our computer won't send data across the Internet. We all give away our personal data across the Internet because companies ask us for it, but they should manage the collected data properly.

About the author

J. C. Cannon, privacy strategist at Microsoft’s Corporate Privacy Group, specializes in implementing application technologies that maximize consumer control over privacy and enable developers to create privacy-aware applications. He works closely with Microsoft product groups and external developers to help them build privacy into applications.

Inside the book

The book consists of three parts, each with its own specific focus. That is practical, because readers can read just the part they are interested in or, on the other hand, read the whole book and gain more knowledge.

The first chapter is called "An Overview of Privacy," and that is exactly what it is. Cannon describes some practical experiences related to privacy. This chapter is an overview of the data we give away across the Internet and of the applications that we use.

The second chapter is dedicated to privacy-enhancing technologies (PETs) and privacy-aware technologies (PATs). Some of the important PETs identified are: anonymizers, pseudonymizers, history-clearing tools, popup blockers, antispam, spyware, cookie managers, secure file deletion, and online privacy protection suites. Another section, covering PATs, is written as a set of advice that points out the importance of PATs. Cannon also explains privacy settings, both for users (customers) and organizations.

When it comes to security, legislation is the second most important thing. Legal regulations change the way companies do business and develop software solutions. The third chapter covers major pieces of international privacy legislation that every company must obey. Another way to make users feel better about doing business with a company is subscribing to privacy-certification programs; the seal is evidence that the company has met certain criteria.

After this introduction to privacy, the author goes further and writes about managing privacy. He starts with the Windows operating system, so the fourth chapter looks at various Windows components and applications that communicate with the Internet. This chapter is very useful for users because they will learn what information is being sent across the Internet and, most importantly, how to control the sending process. It covers Group Policy, Windows Error Reporting, Automatic Updates, My Recent Documents, Windows Media Player 9, and Microsoft Office 2003. While Cannon writes about Microsoft-related applications, users must examine applications written by other companies as well.

Spam is one of the biggest problems in communication nowadays. Here, spam isn't just unsolicited e-mail that attempts to sell something to the receiver; it is considered an invasion of a right called communication privacy. The author covers spam costs, litigation, and what users can do to fight spam. The advice is grouped into advice for individuals, for companies, and for developers. Several approaches to fighting spam are described, together with some server-side and e-mail-friendly antispam solutions.

Applications are not the only things that invade our privacy; devices (gadgets) and other technology do as well. The sixth chapter describes some cool devices whose features look rather innocuous on the surface. However, these devices can be used to invade a person's privacy (e.g., radio frequency identification tags, surveillance systems, etc.). They provide many ways in which people can be tracked and exposed. Yet not many people would trade their privacy for a feeling of security. They choose not to have new technology if it can seriously damage their privacy.

It's not enough just to understand privacy and to have the will or power to fight for it. For companies involved in software development, it's important to have the right organizational infrastructure. By having a set of privacy policies, companies can avoid a lot of costly entanglements. Those privacy policies should govern the collection, storage, sharing, and retention of the data being collected. Companies must select the right people who can build a strong privacy infrastructure. Building that infrastructure is worth the money, because not having it can cost much more.

Customer service is an important part of any business. Chapter eight covers the privacy response center as a better approach to handling possible privacy issues. The more reported privacy issues they have, the more successful they are. On the other hand, if they handle a privacy issue improperly, they can damage a company's reputation. The author covers various aspects of creating a privacy response center, so establishing one is the obvious conclusion.

Privacy Preferences Project (P3P) is a new concept for managing cookies based on a web site's policy and the user's privacy preferences. Chapter nine is dedicated to P3P and covers the whole process of deploying P3P at a web site. The process is followed by browser integration. For those who are not technically savvy with XML, a few P3P creation tools are presented.

Many people ask themselves when the privacy process should start and when it should end. Chapter ten answers these questions. It also provides guidance on what companies need to do to be successful at privacy development. The whole process is covered with figures and explanations. This is a great section for companies building software.

Continuing with the development process, Cannon describes dataflow diagrams and the basics of how they can be used in performing a privacy analysis. Chapter eleven offers some helpful hints for diagramming and explains application decomposition. That gives the developer a good way to visually validate the data.

After some privacy-aware considerations, chapter twelve presents a sample application, PSample, that has many of the privacy features that should be included in an application. Cannon covers the program design, the installation process, and some sample files and settings. It's a very simple example of adding privacy awareness to program code.

Protecting database data is the topic of chapter thirteen. Databases are part of our lives every day, and so are the people who want to gain access to the sensitive data they hold. This chapter includes four approaches: physical security, programmatic security, transaction auditing, and data minimization. What follows are some additional approaches that are more technical. After reading this chapter, the reader will have a basic knowledge of the minimization principle that should be applied to the data.

Another example in this book is an application that shows how role-based access to data can be managed. This example can do a lot to help enforce a company's privacy policies.

In the last chapter, digital rights management is presented as a series of technologies that protect copyrights and intellectual property.

About the CD-ROM

The accompanying CD-ROM contains template files, web pages, and source code. The content is organized by chapter. It doesn't cover all 15 chapters, just a few of them, but it provides additional privacy resources.

My 2 cents

As mentioned before, the book is divided into three parts, each with its own specific focus. The first part is for everyone interested in privacy. The second part is specific to organizations, and the third part covers themes of interest to developers.

All three parts offer an overview of privacy. Whether you are a manager, IT professional, developer, or security specialist, this book will give you some of the quality information you need to protect your customers and your organization.

The subtitle of this book is "What Developers and IT Professionals Should Know," but customers are also recommended to read it, because it covers the basics of privacy needs and will make them look at their private information in a different way.



Copyright 1998-2014 by Help Net Security.